Emergency mode when root account locked

Post by deandre
My problem is when I try to boot up deepin(Debian 10 buster)

Deepin is not Debian. It's a derivative. Your problems with Deepin
should be asked on a Deepin support list, because the users there will
have more knowledge about your operating system than we do.

Post by deandre
I get the message “cannot open access to console, the root account is locked
See sulogin(8) man for more details” and after I press Enter it continues to
give me the same message, at this point I’m not really sure what to do.
From the original Subject: header, your question is apparently about

something called "emergency mode". I am going to **GUESS** (here,
again, we are not Deepin users and we don't know how Deepin works)
that this is single-user mode, a.k.a. "rescue mode" in Debian, accessed
from the GRUB boot loader menu.

I am also going to guess that Deepin, like Ubuntu, defaults to giving
you a user account with sudo access, and no root password. You can
achieve that in Debian as well, by doing something special during the
installation. In all cases, it's a stupid idea and you shouldn't do it.

If you want to access single-user mode from GRUB, you need a root
password. So set one.

You'd do that by booting normally, then running something like
"sudo passwd root" as your sudo-privileged user.

If you *can't* boot normally (hence your attempts to enter single-user
mode), then you'll need to boot from an installation image, or a
rescue image, or something along those lines. Mount your root partition,
chroot into it, and run "passwd root" to set the root password.

Ask your Deepin mailing list for help doing that if you don't know how.

Andrei POPESCU

2020-12-05 10:50:01 UTC

Post by deandre
My problem is when I try to boot up deepin(Debian 10 buster)

Deepin is not Debian. It's a derivative. Your problems with Deepin
should be asked on a Deepin support list, because the users there will
have more knowledge about your operating system than we do.

While your guess is probably right, just for the archives, there is also
a Deepin Desktop Environment, with several components available already
in buster and many more to come.

https://salsa.debian.org/pkg-deepin-team

Post by Greg Wooledge
I am also going to guess that Deepin, like Ubuntu, defaults to giving
you a user account with sudo access, and no root password. You can
achieve that in Debian as well, by doing something special during the
installation. In all cases, it's a stupid idea and you shouldn't do it.

This is a pretty strong (and harsh!) statement. Care to expand on the
reasons?

Kind regards,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser

Greg Wooledge

2020-12-07 15:20:02 UTC

This is a pretty strong (and harsh!) statement. Care to expand on the
reasons?

It prevents access to single-user mode. The fact that Debian (and
these others?) still puts a single-user mode entry into the GRUB menu,
knowing that it won't work, is just adding insult to injury.

Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.

Another thing to keep in mind is that you might forget your root
password if you don't use it once in a while. So, you might try to
remember to use "su" or a console root login from time to time, just
to make sure you remember your root password.

Tixy

2020-12-07 15:40:01 UTC

On Mon, 2020-12-07 at 10:11 -0500, Greg Wooledge wrote:
[...]

Post by Greg Wooledge
Another thing to keep in mind is that you might forget your root
password if you don't use it once in a while.

For machines that are personal, single user machines, it just makes
sense to me to use the same password for root as the user. After all,
the root account isn't really protecting anything additional that the
user cares about.

--
Tixy

Andrei POPESCU

2020-12-08 09:00:03 UTC

Post by Tixy
[...]

Post by Greg Wooledge
Another thing to keep in mind is that you might forget your root
password if you don't use it once in a while.

I'm guessing you are referring to this:

https://xkcd.com/1200/

Kind regards,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser

Tixy

2020-12-08 09:20:01 UTC

Post by Tixy
[...]

Post by Greg Wooledge
Another thing to keep in mind is that you might forget your root
password if you don't use it once in a while.

https://xkcd.com/1200/

Something like that, except I never use hibernate and my disk is
encrypted, so hopefully if someone steals my computer they don't get
anything but the hardware :-)

Also, so I only have one thing to remember my disk encryption
passphrase is also my user and root account password, and I have system
set to automatically login to my account at boot so just have to enter
the passphrase once.

--
Tixy

deloptes

2020-12-08 11:00:03 UTC

Post by Tixy
I never use hibernate and my disk is
encrypted

hibernation works with encryption just fine. I have a problem though with
hibernation+NFS

g***@mailfence.com

2020-12-07 15:40:02 UTC

This is a pretty strong (and harsh!) statement. Care to expand on the
reasons?

It prevents access to single-user mode. The fact that Debian (and
these others?) still puts a single-user mode entry into the GRUB menu,
knowing that it won't work, is just adding insult to injury.
Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.
Another thing to keep in mind is that you might forget your root
password if you don't use it once in a while. So, you might try to
remember to use "su" or a console root login from time to time, just
to make sure you remember your root password.

i was a sys admin for hpux and linux systems for 25 years now retired
having a root password is along the same line as backups for your system
you spend time and money and pray you never have to use it
you set a root password and use it from time to time just in case

Celejar

2020-12-09 00:50:01 UTC

On Mon, 7 Dec 2020 09:30:05 -0600 (CST)
***@mailfence.com wrote:

...

Post by g***@mailfence.com
i was a sys admin for hpux and linux systems for 25 years now retired
having a root password is along the same line as backups for your system
you spend time and money and pray you never have to use it
you set a root password and use it from time to time just in case

But the difference is that if you don't have backups and you do need
them, you're in big trouble. If you don't have a root password and you
need it, you can always mount the disk from another operating
environment, such as a live one, and fix things. A hassle, certainly,
but not nearly as catastrophic as not having backups

Celejar

Fabrice BAUZAC

2020-12-12 00:10:02 UTC

Post by Greg Wooledge
Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.

I've had the bitter taste of it when I had to salvage a virtual machine
for which I had lost access to my non-root account. You'd better have
the root password around.

Keith Bainbridge

2020-12-12 02:50:01 UTC

Post by Fabrice BAUZAC

Post by Greg Wooledge
Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.

I've had the bitter taste of it when I had to salvage a virtual machine
for which I had lost access to my non-root account. You'd better have
the root password around.

AND run sudo as root, for additional safety

--
Keith Bainbridge

***@gmx.com

Andrei POPESCU

2020-12-12 08:40:02 UTC

Post by Fabrice BAUZAC

Post by Greg Wooledge
Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.

I've had the bitter taste of it when I had to salvage a virtual machine
for which I had lost access to my non-root account. You'd better have
the root password around.

AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

Kind regards,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser

Keith Bainbridge

2020-12-12 12:00:02 UTC

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us get
it as default. I looked at replacing sudo.

I found an article that explained how to strengthen it by forcing sudo
to require root password.

If somebody breaks in, they now need my root password to execute
commands that require root permissions (except a couple that I have
given nopasswd privilege).

It's pretty simple. AFTER you have tested your root password

add

Defaults rootpw

to /etc/sudoers

The result:

***@asus3 ***@22:49:38 :~$ sudo nano /etc/sudoers
[sudo] password for root: ***

You'll understand that root password must be working BEFORE you amend
/etc/sudoers

Ironic?

--
Keith Bainbridge

***@gmx.com

Tixy

2020-12-12 13:10:02 UTC

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us get
it as default.

The default sudo install only grants privileges to members of the
'sudo' group, and I believe the installer only adds the initial user
account it creates to that group if you don't specify a root password
at install time. After all, you are going to need some way of gaining
root privileges to administer the system :-)

I'm not even sure 'sudo' gets installed as part of the base system, but
I see it is a 'recommends' of task-desktop, so yes a lot of us will
have it installed by default; but normal users won't be able to use it
until the system administrator changes the config. (Unless some other
Debian package override sudo config??)

I have recommends packages disabled on my system so don't have sudo, so
I just installed it to verify how it behaves. After asking me for my
password it says:

tixy is not in the sudoers file. This incident will be reported.

and sure enough, my 'root' inbox has an email warning me about the
command I was trying to execute.

--
Tixy

Brian

2020-12-12 13:10:02 UTC

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us get
it as default. I looked at replacing sudo.

sudo is set up by default by the installer? You're sure?

--
Brian.

Andrew M.A. Cater

2020-12-12 13:20:01 UTC

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us get
it as default. I looked at replacing sudo.

sudo is set up by default by the installer? You're sure?
--
Brian.

There is a question as to whether you want to set up a root account, I think.
If you choose not to, then you get a normal user account.

If you choose to set up a root user:
If you do _not_ set a root password, then the first user you set up is set up
with sudo. In Ubuntu, this is the default behaviour, for example.

I'll now need to go and check a standard (as distinct from an expert install)

All the very best,

Andy C

Brian

2020-12-12 13:50:02 UTC

Post by Andrew M.A. Cater

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us get
it as default. I looked at replacing sudo.

sudo is set up by default by the installer? You're sure?
--
Brian.

There is a question as to whether you want to set up a root account, I think.
If you choose not to, then you get a normal user account.
If you do _not_ set a root password, then the first user you set up is set up
with sudo. In Ubuntu, this is the default behaviour, for example.

Template: passwd/root-login
Type: boolean
Default: true
Description: Allow login as root?
If you choose not to allow root to log in, then a user account will be
created and given the power to become root using the 'sudo' command.

Post by Andrew M.A. Cater
I'll now need to go and check a standard (as distinct from an expert install)

Default: true

--
Brian.

Kenneth Parker

2020-12-12 16:40:01 UTC

Post by Andrew M.A. Cater

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us

get

Post by Keith Bainbridge
it as default. I looked at replacing sudo.

sudo is set up by default by the installer? You're sure?
--
Brian.

I use Ubuntu (as well as "pure Debian"). When I install Ubuntu, it does
not even give an *option* for a Root Password. The Username that you give
during Install goes into the Sudoers list (but not Users defined later).
Since I have my own method of System Administration, one of the first
things I do, after the first Reboot is "sudo passwd root" and, after
completion, I am a happy camper.

I'll now need to go and check a standard (as distinct from an expert

Post by Andrew M.A. Cater
install)

I am setting up a Virtual Bullseye Cinnamon system later today. I will,
also use "standard install". Between us, we should be able to answer
followup questions.

Post by Andrew M.A. Cater
All the very best,
Andy C

Thanks!

Kenneth Parker

Andrew M.A. Cater

2020-12-12 17:20:02 UTC

Post by Kenneth Parker

Post by Andrew M.A. Cater

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

There was a detailed discussion here about sudo being a security issue
on our systems. It appears to be default in debian 10, so most of us

get

Post by Keith Bainbridge
it as default. I looked at replacing sudo.

sudo is set up by default by the installer? You're sure?
--
Brian.

I use Ubuntu (as well as "pure Debian"). When I install Ubuntu, it does
not even give an *option* for a Root Password. The Username that you give
during Install goes into the Sudoers list (but not Users defined later).
Since I have my own method of System Administration, one of the first
things I do, after the first Reboot is "sudo passwd root" and, after
completion, I am a happy camper.
I'll now need to go and check a standard (as distinct from an expert

Post by Andrew M.A. Cater
install)

On a "normal" as opposed to an Advanced/expert install, it prompts you to give a password for a root user.
If you effectively tab through this, not setting a password at all, then you
get a normal user account.

Andy C

Post by Kenneth Parker
I am setting up a Virtual Bullseye Cinnamon system later today. I will,
also use "standard install". Between us, we should be able to answer
followup questions.

Post by Andrew M.A. Cater
All the very best,
Andy C

Thanks!
Kenneth Parker

Brian

2020-12-12 17:50:01 UTC

Post by Andrew M.A. Cater
On a "normal" as opposed to an Advanced/expert install, it prompts you to give a password for a root user.
If you effectively tab through this, not setting a password at all, then you
get a normal user account.

Hardly surprising, given what user-setup-udeb is designed to do.

--
Brian.

Andrei POPESCU

2020-12-12 19:00:02 UTC

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

To my non-native understanding of English "run foo as root" usually
means one first gains root privileges (by whatever means) and then runs
that program with the elevated privileges.

In the context of the text you were replying to it seemed to me you
might just be ironic (though admittedly I did also consider you might be
referring to the 'targetpw' option in 'sudoers').

Post by Keith Bainbridge
If somebody breaks in, they now need my root password to execute
commands that require root permissions (except a couple that I have
given nopasswd privilege).

If a user's normal account is compromised most of what matters is
already compromised as well. The root access is just icing on the cake
and can be easily obtained with a keylogger (which an attacker would
need anyway for the all the other goodies).

https://xkcd.com/1200/

Otherwise a probably quite simple 'sudo' script[1] in ~/.local/bin
should do the trick as well: present a password prompt, save the
password somewhere safe, pretend to fail and then call the real
'sudo'[3].

After all, how many users are calling 'sudo' with the full path?

Instead I would suggest admin tasks should be performed from a dedicated
*normal* account, using sudo just for those commands that require
elevated privileges.

This provides some additional security, while also being slightly safer
from accidental mistakes than logging in as root directly.

[2] which by default is added to $PATH on Debian.
[1] If I'm bored enough I might just write such a script myself.
[3] and maybe deletes itself to remove traces

Kind regards,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser

Brian

2020-12-12 20:20:01 UTC

Post by Keith Bainbridge
AND run sudo as root, for additional safety

Is this supposed to be ironic? I really can't tell.

To my non-native understanding of English "run foo as root" usually
means one first gains root privileges (by whatever means) and then runs
that program with the elevated privileges.

That is my understanding too.

Post by Andrei POPESCU
In the context of the text you were replying to it seemed to me you
might just be ironic (though admittedly I did also consider you might be
referring to the 'targetpw' option in 'sudoers').

Keith Bainbridge argument begins with a complete misunderstanding of
the role of sudo in the installer. It then mentions an article that
is not referenced. Two fails.

--
Brian.

Alex Mestiashvili

2020-12-12 14:20:02 UTC

Not sure is that was already answered, since I lost track of the thread.
But resetting the root password is just matter of booting with root
partition it rw mode and init=/bin/bash isn't?

Post by Fabrice BAUZAC

Post by Greg Wooledge
Even if you plan to use sudo for 99% of your administrative work,
there's still no reason NOT to have a root password, for those emergency
situations where you need one.

I've had the bitter taste of it when I had to salvage a virtual machine
for which I had lost access to my non-root account. You'd better have
the root password around.

Marco Möller

2020-12-12 14:40:02 UTC

Post by Alex Mestiashvili
Not sure is that was already answered, since I lost track of the thread.
But resetting the root password is just matter of booting with root
partition it rw mode and init=/bin/bash isn't?

It is not even required to mount your disk from other hardware. Simply
boot to the grub menu and set this boot parameter:
init=/sbin/sulogin --force

As long as someone has physical access to the Debian carrying disk, you
can always break into the system! In this case for restoring your access
options, but of course in other cases this could also be used for evil
things.
In order to prevent the evil access option you need to activated disk
encryption. To my knowledge this cannot be bypassed as easily as simply
gaining root access on an unencrypted system. But of course, if you now
forget your decryption passphrase, then your system is gone for ever,
also no more accessible by mounting the disk in another system. If you
now would have a problem with the root password or sudo setup, you would
for sure still need the disk decryption passphrase, and only afterwards
could help yourself with the mentioned boot parameter.
Best wishes, Marco.

Alex Mestiashvili

2020-12-12 14:50:02 UTC

Post by Marco MÃ¶ller

It is not even required to mount your disk from other hardware. Simply
init=/sbin/sulogin --force
As long as someone has physical access to the Debian carrying disk, you
can always break into the system! In this case for restoring your access
options, but of course in other cases this could also be used for evil
things.
In order to prevent the evil access option you need to activated disk
encryption. To my knowledge this cannot be bypassed as easily as simply
gaining root access on an unencrypted system. But of course, if you now
forget your decryption passphrase, then your system is gone for ever,
also no more accessible by mounting the disk in another system. If you
now would have a problem with the root password or sudo setup, you would
for sure still need the disk decryption passphrase, and only afterwards
could help yourself with the mentioned boot parameter.
Best wishes, Marco.

Hi thanks for the hint, never considered "/sbin/sulogin --force" so far,
good to know. I normally also set grub password, so one can't edit that
easily grub entries. And use full disk encryption for laptops.

Best,
Alex

deloptes

2020-12-12 23:50:02 UTC

yes, it is - more problematic is the password of the encrypted drive - you
really have to memorize it good, or write it down and lock it in the safe

Andrei POPESCU

2020-12-14 11:20:01 UTC

Package: release-notes
X-Debbugs-CC: debian-***@lists.debian.org

Dear Release Notes Maintainers,

Some text based on below would make sense for the Release Notes for
buster. If agreed I'll try to come up with a wording.

This is a pretty strong (and harsh!) statement. Care to expand on the
reasons?

It prevents access to single-user mode. The fact that Debian (and
these others?) still puts a single-user mode entry into the GRUB menu,
knowing that it won't work, is just adding insult to injury.

A web search found #802211[1].

Short version:

For systemd >= 240 (buster[2]) run as root

systemctl edit rescue.service

and add:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1

(see /usr/share/doc/systemd/ENVIRONMENT.md.gz)

The 'rescue.service' is started by systemd in case it detects 'single'
on the kernel command line (see systemd(1)).

You might want to do the same for 'emergency.service' as well (or
instead), since this service is started *automatically* in case of
certain errors (see systemd.special(7)) or if you add 'emergency' to the
kernel command line (e.g. if you can't fix your system via the 'rescue'
service).

An untested patch to the Debian Installer exists to add both snippets if
the user chooses to leave the root password blank.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
[2] see the bug for another snippet that should work for squeeze or
earlier.

Kind regards,
Andrei

--
http://wiki.debian.org/FAQsFromDebianUser

nickgeovanis

2020-12-14 12:40:02 UTC

Thanks Andrei.

Post by Andrei POPESCU
Package: release-notes
Dear Release Notes Maintainers,
Some text based on below would make sense for the Release Notes for
buster. If agreed I'll try to come up with a wording.

it.

Post by Andrei POPESCU
This is a pretty strong (and harsh!) statement. Care to expand on the
reasons?

It prevents access to single-user mode. The fact that Debian (and
these others?) still puts a single-user mode entry into the GRUB menu,
knowing that it won't work, is just adding insult to injury.

A web search found #802211[1].
For systemd >= 240 (buster[2]) run as root
systemctl edit rescue.service
[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
(see /usr/share/doc/systemd/ENVIRONMENT.md.gz)
The 'rescue.service' is started by systemd in case it detects 'single'
on the kernel command line (see systemd(1)).
You might want to do the same for 'emergency.service' as well (or
instead), since this service is started *automatically* in case of
certain errors (see systemd.special(7)) or if you add 'emergency' to the
kernel command line (e.g. if you can't fix your system via the 'rescue'
service).
An untested patch to the Debian Installer exists to add both snippets if
the user chooses to leave the root password blank.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
[2] see the bug for another snippet that should work for squeeze or
earlier.
Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

Alexander V. Makartsev

2021-03-21 08:50:02 UTC

[Bcc: debian-boot]
Dear Debian-User subscribers,
The Release Notes editor is asking whether this is still an issue for
bullseye (i.e. if the patch to Debian Installer mentioned below was
applied in the meantime).
It will be a while until I get to check that. If someone can confirm
either way please write to #977358.
Full quote below for context.
Thanks,
Andrei

This is still an issue for bullseye. Patch was not applied, but solution
works if you apply it manually after OS installation.
I've tested it on latest weekly build (debian-testing-amd64-netinst.iso).

--
With kindest regards, Alexander.

â¢â£Žâ Ÿâ »â¢¶â£Šâ
â£Ÿâ â¢ â â â£¿â¡ Debian - The universal operating system
â¢¿â¡â â ·â â â https://www.debian.org
â â ³â£â â â â

Marco Möller

2020-12-05 14:10:01 UTC